[00:18.630 --> 00:26.950]  Presenting the Detecting the Not PowerShell Gang with Tez. And with that, I will let Tez take it away.
[00:28.130 --> 00:35.310]  All right, thank you so much. Hello, everyone. Welcome to this talk titled Detecting the Not
[00:35.310 --> 00:42.570]  PowerShell Gang. It's by me, Tez. You can find me on Twitter, anywhere else, TezManager.
[00:42.970 --> 00:47.610]  All right, let's get to know me for a little bit. I'm a Threat Hunter working for
[00:47.850 --> 00:56.510]  a major Canadian communication company. We also do MSP, MSSP, ISP, whatever you can think of.
[00:56.510 --> 01:01.950]  So my main tasks in this company are to do threat hunting, a lot of involvement with
[01:01.950 --> 01:08.630]  threat intelligence also, and a lot of automation, which is programming, coding, etc. I have some
[01:08.630 --> 01:14.410]  previous experience in application security, and also some security auditing slash legal.
[01:14.410 --> 01:21.070]  I graduated from Sheridan College, so I am based in Toronto, Canada. So if you're around,
[01:21.070 --> 01:25.510]  you know, like if you're a company around Canada and you're looking for good talents,
[01:25.510 --> 01:31.570]  you can definitely look into that school. So yeah, so that's pretty much me with my
[01:32.430 --> 01:38.630]  medium, small security budget, fighting the bad people one log at a time.
[01:39.430 --> 01:45.170]  All right, so if you ask, like, you just do work? No, I do play a lot. I like to do fun security
[01:45.170 --> 01:51.630]  stuff, CTF. I like presenting, attending conferences. I also love to do photography,
[01:51.630 --> 01:57.710]  specifically astrophotography, some landscape photography. Also, I do have a drone and just
[01:57.710 --> 02:03.770]  taking pictures and videos. I play guitar at times, and I love to go to festivals and concerts.
[02:03.770 --> 02:09.370]  And of course, like everyone else, gaming, it's something that it's always fun to do.
[02:09.770 --> 02:17.710]  Just some pictures of me doing stuff, taking pictures of stuff, just to show that I'm not
[02:17.710 --> 02:22.610]  working all the time. All right, first of all, let's start with a disclaimer. All the opinions
[02:22.610 --> 02:33.130]  are my own, and this doesn't reflect any views of my employer. So with that in mind, let's move
[02:33.130 --> 02:38.690]  forward. So also note, this presentation is actually a compressed version of a similar
[02:38.690 --> 02:44.010]  presentation that I did at HackFest last year. So if you would like to see more about the tools,
[02:44.010 --> 02:49.350]  demonstration, et cetera, you can go watch it on the HackFest YouTube channel. The link is there.
[02:49.650 --> 02:52.830]  The slides, also the extended version, are available on my GitHub.
[02:53.910 --> 03:01.330]  Okay, so let's talk about the content. We were just, you know, talking about me. So we've got
[03:01.330 --> 03:08.270]  three major parts. We'll have some introduction about the gang itself. How do we detect each
[03:08.270 --> 03:13.770]  member of the gang? There's some bonus detection. There's some bonus members of the gang. And we
[03:13.770 --> 03:20.930]  close everything with some outro and a Q&A at the end. Yeah, so in this section, we'll get the basic
[03:20.930 --> 03:29.190]  understanding of what exactly the Not PowerShell gang is, the Not PowerShell tools. So I did this research
[03:29.970 --> 03:37.750]  roughly like one to two years ago. And I see a bunch of, we actually see a bunch of tools that
[03:37.750 --> 03:44.610]  act the same way, that try to avoid PowerShell security logging and mechanisms,
[03:44.610 --> 03:51.150]  but they achieve it in different ways. So this is really interesting to me. So I just pretty much
[03:51.150 --> 03:56.370]  bundled them together and then, yeah, built detection for all of them and then see the
[03:56.370 --> 04:03.430]  unique way each one of the tools is doing it. So one question you're going to ask, like, why do these
[04:03.430 --> 04:08.770]  tools even exist? Why don't they just use PowerShell? Well, because PowerShell loves
[04:08.770 --> 04:13.910]  Blue Team. This is a blog post that they posted back in 2015 when they released version 5 of
[04:13.910 --> 04:20.870]  PowerShell. They released a lot of security features and it is actually really bad for Red Team. So
[04:21.630 --> 04:26.950]  pretty much friendship ended with the Red Team. Now Blue Team is Microsoft's best friend.
[04:27.650 --> 04:37.370]  So is it that bad? Actually, it is. You get protected logging. So whenever you type anything,
[04:37.370 --> 04:41.930]  PowerShell will be logged. Whenever you enter a script and you enter commands, it will be logged.
[04:41.930 --> 04:46.870]  If the Blue Team have a centralized SIEM, that's it. That's the end for the defender.
[04:46.870 --> 04:52.090]  Sorry, for the attacker, right? Also, AMSI integration, which is the anti-malware
[04:52.830 --> 04:57.690]  mechanism. So there's a lot of bypasses being released, but this is pretty much a never-ending
[04:57.690 --> 05:03.790]  race between Microsoft and then the Red Team slash offensive tool makers. So they bypass the patch.
[05:03.790 --> 05:09.070]  They bypass the patch. It's just never-ending. And lastly, we got the Constrained Language Mode,
[05:09.070 --> 05:16.490]  CLM, that is able to limit the capabilities in a sensitive environment, for example,
[05:16.490 --> 05:19.810]  in your PCI DSS server, in your production server. You can limit
[05:19.810 --> 05:24.110]  things to do with PowerShell. So that's not really good, actually.
[05:25.870 --> 05:33.050]  Five years later, so there was this AMA, Ask Me Anything, event going on in one of the
[05:33.550 --> 05:39.990]  Slack channels of one of the big security companies in the US. So I just jumped in and asked the question,
[05:39.990 --> 05:44.630]  from your recent engagements, do you still use PowerShell at all? And then most of the answers
[05:44.630 --> 05:51.970]  were like, not really. We just drop it. We don't really use it. So that's the idea of how bad it is.
[05:51.970 --> 05:58.010]  Even five years later, people just start forgetting PowerShell at all. And that's
[05:58.010 --> 06:05.710]  why we have the whole gang. So now we understand what's Not PowerShell. And then let's move forward
[06:05.710 --> 06:13.250]  and just get some understanding about the detection. Make sure that you have these
[06:13.250 --> 06:17.390]  requirements ready if you're trying to deploy this detection, because this is
[06:17.390 --> 06:24.850]  the environment that I have, that we have, when we tested it. And then, yeah, pretty much
[06:24.850 --> 06:31.110]  the whole goal of this presentation is to utilize your logs. So you can use whatever
[06:31.110 --> 06:38.230]  SIEM solution you want, Splunk, ELK, ArcSight. I can keep going on and on, but you get the idea.
[06:38.230 --> 06:44.990]  So, yeah. So there's two types of detection that I will be sharing. The first one will be
[06:44.990 --> 06:50.110]  the low-hanging fruits, the easy detection that's easy to create and easy to bypass. The next one
[06:50.110 --> 06:56.660]  is a more complicated detection, the advanced detection based on TTP or behavior of the tools.
[06:57.770 --> 07:06.430]  It's really kind of hard to make, but also kind of hard to bypass by the attacker. So we'll see.
[07:06.430 --> 07:10.330]  So the first tool, we call it Invisi-Shell, not we call it,
[07:10.330 --> 07:15.210]  the maker calls it Invisi-Shell. The tagline is like, sure, we can hook it, because
[07:16.470 --> 07:21.950]  the people from Javelin Networks, when they made this, all they do in the tool is just hooking,
[07:21.950 --> 07:27.630]  hooking, hooking. They hook the System.Management.Automation.dll, the library of PowerShell.
[07:27.630 --> 07:32.890]  They hook the System.Core.dll to bypass the logging mechanism, and then they hook the
[07:32.890 --> 07:39.370]  anti-malware mechanism. They just hook everything. But it works perfectly fine,
[07:39.370 --> 07:44.550]  because when they hook it, they override the input length for those attributes, the three
[07:45.290 --> 07:51.390]  attribute buffers, to zero length. So it's pretty much non-existent, which equals
[07:52.200 --> 07:55.990]  non-functioning PowerShell detection, which is great for them.
[07:57.390 --> 08:02.590]  So we have five detections here. The first one is low-hanging fruits.
[08:02.590 --> 08:10.130]  So as you can see there, there is a DLL called InvisiShellProfiler.dll, and then there's a
[08:10.130 --> 08:15.630]  bat file, RunWithPathAsAdmin. So these files are pre-compiled already, so they're available on
[08:15.630 --> 08:21.210]  the GitHub. So when people run it as is, you can detect it. That's the goal of low-hanging fruits.
[08:21.210 --> 08:27.290]  You detect it by using Sysmon ID 7 and Sysmon ID 1, and you deploy the rule in your SIEM.
[08:28.030 --> 08:33.930]  When you run the tool the first time, you will see this unique trace on Sysmon ID 1.
[08:34.050 --> 08:39.090]  You will see a PowerShell in the command line section, in the command line field,
[08:39.090 --> 08:45.770]  just PowerShell, no exe, no parameters, etc. And then the parent command line will uniquely be
[08:46.550 --> 08:53.950]  exe that is calling a bat file. You get the idea. So there's exe and a bat file in the same
[08:53.950 --> 08:59.430]  parent command line. So we can combine these two pieces of information and then make a detection out of it,
[08:59.430 --> 09:05.310]  which is what we do, what I do. And then the next one, this tool is actually able to do some
[09:05.310 --> 09:12.370]  privilege escalation by adding some entries in the registry key. So we need to watch when they
[09:12.370 --> 09:19.390]  do this using reg.exe, for example. And then there's a certain value, specifically
[09:19.390 --> 09:26.530]  InprocServer32, and those flags that you can see. The parent command line will be the same
[09:28.330 --> 09:33.390]  parent command line as the previous one. So you will have the .exe and then the .bat.
[09:33.990 --> 09:39.250]  Again, if you combine that and then you combine additionally the reg.exe tool,
[09:40.110 --> 09:46.270]  you pretty much have pretty strong detection there. The next one, it's the InprocServer32
[09:46.270 --> 09:54.630]  registry key changes, or additions, so to say. So if you see here, you can see the target object
[09:54.630 --> 10:01.430]  is the InprocServer32. But they're trying to load the malicious... not malicious, like the...
[10:01.430 --> 10:08.970]  Not PowerShell DLLs that they are using, which is the InvisiShellProfiler.dll. So you can watch
[10:08.970 --> 10:15.410]  for anything that is not System32 being loaded to this particular target object,
[10:15.410 --> 10:20.110]  because that's kind of fishy. And again, you will be using Sysmon,
[10:20.110 --> 10:24.890]  specifically Event ID 13, the registry value set.
[10:26.890 --> 10:33.210]  The last detection for this tool, it's actually watching the DLL being loaded
[10:33.210 --> 10:40.290]  to the legitimate PowerShell, because again, it will hook the PowerShell library. So there will
[10:40.290 --> 10:47.470]  be... you need to load the module from the DLL to the exe. But the thing is, usually PowerShell
[10:47.470 --> 10:52.870]  will load stuff from Microsoft, because it's a Microsoft tools. And then you can also see
[10:52.870 --> 10:58.290]  the signature status, it's false and also unavailable. So that's kind of questionable.
[10:58.290 --> 11:05.810]  We can combine this... what do you call it... interesting thing, combine it together,
[11:05.810 --> 11:09.130]  and you can make a rule out of it and start building detection on it.
[11:09.870 --> 11:16.090]  And the next tool is PowerShdll. So it's not PowerShell, it's PowerShdll.
[11:16.450 --> 11:21.730]  And the tagline for this, yeah, we got DLL for that, because it's in the name already.
[11:21.730 --> 11:28.970]  So p3nt4 pretty much created... this is also one of the tools that has a lot of stars on
[11:28.970 --> 11:35.870]  GitHub. So this tool actually has two modes. You can use the DLL mode and then the exe mode.
[11:35.870 --> 11:43.470]  For the DLL mode, you need to use a DLL loader. So this is a LOLBAS component that will be used.
[11:43.730 --> 11:51.010]  And it'll load the particular DLL that you feed it. Or you can use a pre-compiled exe. So you just
[11:51.010 --> 11:57.510]  double-click the exe and it will just do the job. So you'll use... there's options of five
[11:57.510 --> 12:05.770]  different DLL loaders or proxy execution exes that you can use. So these binaries are signed
[12:05.770 --> 12:14.430]  by Microsoft. So sometimes it's not... it's normal when people whitelist them. So make sure you pay
[12:14.430 --> 12:21.910]  attention in this particular area. And then moving forward for the exe mode, it will load
[12:22.430 --> 12:30.170]  the exe itself. It loads 57 PowerShell automation DLLs and other supporting DLLs for the operation.
[12:30.170 --> 12:36.750]  So all the lists... all the 57 DLLs are listed in the appendix at the end of the presentation.
[12:37.930 --> 12:43.150]  For the detection, we get four things here. We get the low-hanging fruits, which is
[12:44.630 --> 12:51.010]  simple thing like description field, product field, even the image, so the file name itself.
[12:51.370 --> 12:55.650]  So you can definitely use that. Again, this is a low-hanging fruit detection.
[12:56.310 --> 13:01.590]  Just a tip, if you want to change it, you can just go to the code before you compile it. And then
[13:01.590 --> 13:07.710]  those are the information by default, the PowerShell DLL, copyright 2016. You can easily
[13:07.710 --> 13:13.050]  change it to anything. But again, low-hanging fruits detection is supposed to be easy detection.
[13:13.590 --> 13:21.170]  The next one, PowerShdll loading DLLs. To be precise, PowerShdll loading the PowerShell
[13:21.170 --> 13:27.590]  DLLs, so the real PowerShell DLLs. So this is applicable for the DLL mode. For example,
[13:27.590 --> 13:34.790]  you're running it using rundll32.exe. And then rundll32.exe is loading a bunch of
[13:34.790 --> 13:42.210]  PowerShell-related DLLs. It's like they're trying to do something related to PowerShell, right?
[13:42.230 --> 13:47.630]  So yeah, that's what they're trying to do. So we can watch them, again, with Sysmon ID 7.
[13:48.690 --> 13:53.630]  And then more general than that, we can actually watch what the loaders do. So whenever they
[13:53.630 --> 14:00.270]  are loading unsigned DLLs or DLLs that don't have any signature, we can create an
[14:00.270 --> 14:06.130]  alert on that. But the problem with this, it's actually quite noisy. There are some applications,
[14:06.130 --> 14:12.770]  third-party applications that do this. Off the top of my head, I can say Notepad++ does that.
[14:12.770 --> 14:17.930]  So that's the first thing that triggered the rule when we deployed it in production. I'm like,
[14:17.930 --> 14:26.450]  okay. But yeah, you can whitelist it for sure. The next one is when the exe mode loads 57
[14:26.450 --> 14:32.330]  different DLLs. So this will happen in a millisecond, just like that. Just instantly
[14:32.330 --> 14:41.130]  load 57 DLLs. And you can see all of this from Sysmon ID 7, but make sure you add those DLLs
[14:41.130 --> 14:47.110]  into the Sysmon config. Just make sure you modify the config to watch for those specific DLLs.
[14:47.930 --> 14:52.630]  For this, to make it easier or to make the detection better, you can use correlation
[14:52.630 --> 15:01.450]  or cardinality. So whenever one DLL is being loaded, the rule itself will look for the other
[15:01.450 --> 15:08.110]  56 DLLs, if they're being loaded around maybe like in the last one minute or like in the last 50 seconds,
[15:08.110 --> 15:14.770]  et cetera. So you can just see if at the end, like as a bigger picture, all of them are being
[15:14.770 --> 15:19.990]  loaded at the same time. So some examples of correlation on the SIEM that you can do: Elasticsearch,
[15:19.990 --> 15:26.030]  I think they have cardinality rules. ArcSight correlation engine for sure. And then
[15:26.030 --> 15:32.430]  Splunk, you can combine multiple indicators. So you will have 57 indicators. And then when
[15:32.430 --> 15:38.290]  everything triggers at the same time, you create a rule out of it. And then you can also use an Elastic
[15:38.290 --> 15:45.070]  Kibana heat map if you want your analysts to do that, just to look into stuff. And you can do it
[15:45.070 --> 15:52.510]  over Python for sure because, yeah, what can Python not do, right? PowerLessShell, the next tool,
[15:52.510 --> 15:59.230]  the tagline is don't worry, we got LOLBAS here, because Mr.Un1k0d3r, I think he's in Montreal,
[15:59.230 --> 16:07.670]  local, Canada also. So yeah, so what was in his mind when making this tool is just to use a lot of
[16:07.670 --> 16:15.450]  LOLBAS. There's two LOLBAS specifically being used here: the msbuild.exe that will be used to
[16:15.450 --> 16:20.870]  compile a payload that you send from the outside, from the attacker machine, to the target machine.
[16:21.090 --> 16:27.870]  So it relies on the msbuild.exe for execution. So it will provide a script, either PowerShell
[16:27.870 --> 16:33.770]  or whatever, and then it will compile it for you. But the unique thing is they are not using the
[16:33.770 --> 16:40.130]  one that is already on the machine. So they bring the whole exe from the outside and then rename it
[16:40.130 --> 16:45.030]  to something else. It can be something random, it can be a known process name, for example,
[16:45.030 --> 16:53.490]  cog.exe or cmd.exe. And then from there, it will get the instruction from the script file,
[16:53.490 --> 16:58.390]  from the PowerShell script or whatever script you provided. It will encode the command using
[16:58.390 --> 17:03.410]  certutil, another LOLBAS, and then they'll perform some kind of obfuscation, make it
[17:03.410 --> 17:08.330]  confusing for the analyst, for the blue team. So you can see here the function and variable names
[17:08.330 --> 17:13.930]  are just like mumbo-jumbo. You don't understand what it is. The last component, not the last
[17:13.930 --> 17:18.250]  component, it's the component that is sitting on the other side, on the attacker machine, to generate
[17:18.250 --> 17:24.970]  all of that stuff, which is PowerLessShell.py, which is like Python code that is pretty much the engine
[17:24.970 --> 17:31.630]  of the tool that will create everything. And then you can ship those three files to the victim machine.
[17:33.410 --> 17:43.050]  For the detection, for the low-hanging fruits, we will have the creation of the... remember that
[17:43.050 --> 17:49.570]  they will rename the msbuild.exe. So you can check in the .NET Framework folder if there's
[17:49.570 --> 17:56.630]  any new exe file being created. For example, if you see cmd.exe created in the .NET Framework
[17:56.630 --> 18:05.650]  folder, that would be so suspicious. You'll be using Sysmon ID 11 for that. PowerShell logging,
[18:06.110 --> 18:11.590]  well, it's because this tool is not really evading the PowerShell detection.
[18:11.590 --> 18:20.210]  It is still recording the output of the PowerShell script being deobfuscated. So after
[18:20.210 --> 18:26.530]  all the encoding, you can still see the final content of the code. You can detect more PowerShell
[18:26.530 --> 18:35.970]  payloads, etc. using the Event ID 4104 from the Microsoft App, if I'm not mistaken.
[18:36.730 --> 18:45.610]  Moving on, detecting the LOLBAS. The first component, 3A, is certutil. So because they
[18:45.610 --> 18:50.470]  encode the thing, the payload, they need to decode it on the victim machines.
[18:50.470 --> 18:55.990]  So they use certutil to decode the hex. So you can watch for any certutil doing the
[18:56.530 --> 19:01.690]  decode hex function, because it's actually really rare in production. You can use
[19:01.690 --> 19:08.030]  Sysmon ID 11 for that. And then the next part of it, the second half, it's msbuild.exe,
[19:08.030 --> 19:13.930]  the renamed one. So not really msbuild as the name, but it is from the description field,
[19:13.930 --> 19:18.590]  you know it's msbuild, because the only way you can change the description field is to
[19:18.590 --> 19:23.470]  reverse engineer the whole application and then change the value, which is like too much work for
[19:23.470 --> 19:33.590]  just evading this stuff, right? So the msbuild.exe will be combined with the random 5 to 25 upper
[19:33.590 --> 19:41.330]  and lower case characters. So you can watch for that combination, Sysmon ID 11 again.
[19:41.430 --> 19:46.530]  Process masquerading, this pretty much can cover not only these tools, but pretty much any
[19:46.530 --> 19:53.910]  masquerading, which is always suspicious. So the file msbuild.exe being renamed to smss.exe,
[19:53.910 --> 20:01.070]  or on the right side, you can see it's a random name, can't even pronounce it.
[20:01.250 --> 20:08.570]  Again, Sysmon ID 11 for both. And then we have number five, the .NET DLL loading. So you see
[20:08.570 --> 20:19.070]  here in the image, it's smss.exe. We already know it's not smss, but we can see why is smss.exe
[20:19.070 --> 20:27.350]  loading Microsoft Build, or the Microsoft.Build.Tasks DLL. So that's definitely suspicious, so you can build
[20:27.350 --> 20:35.410]  detection on this. Sysmon ID 11 again. And lastly, PowerShell DLL loading,
[20:35.410 --> 20:47.410]  that is always visible via process access. So again, our .exe, smss.exe, can be seen
[20:48.210 --> 20:56.870]  making some access, trying to touch, poking System.Management.Automation.dll, which is again,
[20:56.870 --> 21:03.970]  it's the PowerShell engine. Why would smss.exe be doing that? Are they trying to get some functionality
[21:03.970 --> 21:09.730]  out of it? Probably. So you can use Sysmon ID 11 to build that. You can combine all this information
[21:09.730 --> 21:17.110]  together. Tool number four, NoPowerShell. The tagline is, can you C#? Because
[21:17.730 --> 21:25.970]  bitsadmin created this tool implemented in C#. And this is really popular these days.
[21:25.970 --> 21:33.130]  If you look at offensive researchers, they start using more C#, C#, C#.
[21:34.210 --> 21:40.450]  Because it's hard to detect C# operations, because it's not using PowerShell. It's not
[21:40.450 --> 21:47.470]  using PowerShell DLLs. It just goes straight to the native .NET library. And this tool,
[21:47.470 --> 21:53.310]  it's actually trying to mimic PowerShell. So you get the same cmdlets. For example,
[21:53.310 --> 22:01.810]  you have things like Get-Process, Get-User, et cetera. There's two modes. You can run it by using
[22:03.250 --> 22:09.430]  rundll32, again, similar to PowerShdll. Or you can run it using Cobalt Strike.
[22:10.130 --> 22:15.890]  There's two components. For Cobalt Strike, you get the exe file, and then you get the .cna,
[22:15.890 --> 22:21.830]  the Cobalt Strike file. For the DLL, there's two options that you can do, depending on your target
[22:21.830 --> 22:29.190]  machine. You can use the 32-bit DLL or the 64-bit DLL. And then you will need to load it using
[22:29.190 --> 22:37.250]  rundll32. But I suspect you can use the other DLL loaders. And it's exactly acting like
[22:37.830 --> 22:44.530]  PowerShdll's DLL mode. We get four detections for this. Low hanging fruits,
[22:44.530 --> 22:51.430]  again, because it's written in C#, based on .NET. Just look for the description, product,
[22:51.430 --> 22:58.850]  just in case the user forgets to change it. Because it is always true, true positive
[22:58.850 --> 23:06.730]  when this value is showing up in your logs. This is not a false negative. This is a true positive always.
[23:07.870 --> 23:13.650]  So for the Cobalt Strike mode detection, well, unfortunately, our team doesn't have access to
[23:13.650 --> 23:19.310]  Cobalt Strike yet. If we can find some Cobalt Strike people after this talk, maybe we can build
[23:19.310 --> 23:28.550]  detection on it. Yeah, but thanks to Olaf Hartong, we get detection. He created detection
[23:29.310 --> 23:38.850]  on this particular mode by using Event ID 8 from Sysmon. So you will see there the event
[23:38.850 --> 23:44.130]  description of create remote thread. The process name will contain powershell.exe.
[23:44.130 --> 23:49.110]  But the unique thing here, you will see that the target process address will always end
[23:50.770 --> 23:59.310]  with 0B80, which is really unique. But there's more story if you read the blog. There was some
[23:59.310 --> 24:04.870]  interaction between him and also the creator of the tool, and they made some changes, and then
[24:04.870 --> 24:09.150]  it's no longer the case. But still, if someone uses the older version of the tool, they can
[24:09.150 --> 24:15.810]  still detect this. DLL mode, again, similar to PowerShdll, you need to watch the loaders.
[24:15.810 --> 24:24.890]  Whenever rundll32 is loading unsigned or not available signature DLLs, you create an alert on that.
[24:27.460 --> 24:33.260]  And then the next one is .NET version downgrading. So this actually happened by mistake. So I
[24:33.260 --> 24:40.880]  forgot that this tool requires a lower version of .NET. So I ran it on version 4 or 4.5,
[24:40.880 --> 24:46.540]  if I recall. And then it's just like, oh, I don't like this version. Can you bring it down?
[24:46.540 --> 24:54.580]  And it actually can. So it tries to call fondue.exe, which is, I think, an upgrade/downgrade
[24:55.480 --> 25:02.500]  exe on the Windows server, and then asks it to enable the feature NetFx3, which is the
[25:02.500 --> 25:09.320]  version for 2, 3, 3.5. So you can watch that on Sysmon ID 1. But the thing is,
[25:09.320 --> 25:14.780]  legitimate applications might do this, because, hey, who doesn't love doing backtrack using old
[25:14.780 --> 25:22.240]  applications, right? So, yeah. Other than that, we got some bonus here.
[25:22.740 --> 25:29.180]  We got two tools that are pretty similar to PowerLessShell, or NoPowerShell for
[25:29.180 --> 25:35.040]  SharpPick. So the first one will be PowerLine. It uses MSBuild, really reminds you of PowerLessShell,
[25:35.180 --> 25:42.260]  a lot of compilation stuff. And SharpPick, this is actually a tool they use to demonstrate
[25:42.960 --> 25:48.300]  or test the blocking of PowerShell, and just to bypass AppLocker, because I don't think
[25:48.300 --> 25:55.540]  Red Teamers like AppLocker at all. Bonus detection IDs: Sysmon Event ID 10,
[25:56.100 --> 26:02.300]  process access. So any application that is accessing PowerShell DLLs, but is not PowerShell, because you
[26:02.300 --> 26:09.560]  are not supposed to do that. Windows PowerShell Event ID 4103. So this is logged from PowerShell.
[26:09.560 --> 26:15.780]  But when the context application is not PowerShell, isn't it questionable? So yeah,
[26:15.780 --> 26:23.340]  I think we should be watching for that also. And lastly, you can use ETW for .NET library tools.
[26:23.340 --> 26:31.480]  So you can analyze this information using Message Analyzer and Logman. But I think there's also
[26:31.480 --> 26:38.280]  some tools out there. I think Splunk has like a converter for it. There is SilkETW,
[26:38.280 --> 26:43.740]  Roberto Rodriguez played with it a bit. There's a series of blogs talking about
[26:44.700 --> 26:49.200]  analyzing more .NET logs. So I think it will be interesting for you to try.
[26:50.240 --> 26:57.220]  Well, that's pretty much the talk. It's pretty much, yeah, it's a compressed version,
[26:57.220 --> 27:03.600]  as I mentioned. So if you'd like to know more, you can always go to my presentation previously
[27:03.600 --> 27:10.400]  on Hackfest. Just some messages for red team, blue team. So just do all of this stuff. Use
[27:10.400 --> 27:15.680]  PowerShell, update PowerShell over blue team, et cetera, et cetera. And lastly, of course,
[27:15.680 --> 27:21.020]  be nice to each other. If you're a purple team, you can take both sides. Yeah, at the end of the
[27:21.020 --> 27:27.000]  day, we need to be nice for each other because we are in the same boat. At the end of the day,
[27:27.000 --> 27:33.440]  we just want to be Megazord and protect our security company, not security company,
[27:33.440 --> 27:41.000]  our organization. We work together and then, yeah, we just upgrade our security posture.
[27:42.080 --> 27:48.020]  And all right, that's pretty much it. Don't forget to grab some Sigma rules on your way out
[27:48.020 --> 27:53.260]  because I made a lot of Sigma rules just for this presentation in the past week.
[27:53.980 --> 28:01.080]  I actually never wrote Sigma rules before, but I definitely know what Sigma rules are now. So
[28:01.980 --> 28:08.880]  make sure you grab that. You can convert the Sigma rules to any other SIEM: QRadar, Splunk,
[28:08.880 --> 28:15.920]  Elastic, ArcSight, whatever you want. You can use either Uncoder.io or Sigmac,
[28:15.920 --> 28:22.560]  but I tested it on Uncoder.io. So all the Sigma should be able to be converted to the other types
[28:22.560 --> 28:28.580]  if you use Uncoder.io, but Sigmac is also an option if you like to do like CLI kind of things.
[28:29.980 --> 28:36.140]  So I'm so sorry that I didn't mention MITRE ATT&CK right from the start because I'm a threat hunter,
[28:36.140 --> 28:43.080]  but yeah, I need to mention that. All the rules, all 20 rules that I've made for the four tools
[28:43.080 --> 28:47.740]  are mapped to the closest ATT&CK TTPs. It is also using the newest version of the
[28:49.380 --> 28:55.060]  TTPs. They're using sub-techniques. So I tried my best to map it. So if it's not, it's not perfect.
[28:55.060 --> 29:00.400]  And if you want to change it for sure, you can do it. Yeah. So this is the slide that you want
[29:00.400 --> 29:07.320]  to take a picture of, that you want to scan, that you want to send it to your, I don't know,
[29:07.320 --> 29:16.140]  like subordinates. So yeah, make sure you grab it. It's going to take you through my GitHub. It's
[29:16.140 --> 29:21.360]  special. Thanks to my employer, of course, for supporting me to do this understanding,
[29:21.360 --> 29:28.240]  taking me, taking some time to do the research. ScoobyMTL, you should have attended his
[29:28.940 --> 29:35.480]  workshop earlier today in the bootcamp village because it is great. And also my friend Avneet,
[29:35.480 --> 29:42.040]  13Avneet, for inspiration, guidance, and feedback. My coworkers at work literally made me
[29:42.040 --> 29:47.780]  understand PowerShell from zero to hero. And also .NET. I don't really like .NET.
[29:47.780 --> 29:55.100]  Amazing Not PowerShell tool creators, making us blue teamers need to spin our heads around,
[29:55.100 --> 30:00.860]  do a lot of research. And lastly, not lastly, the infosec community, Olaf Hartong for the
[30:00.860 --> 30:09.080]  detection, and he will be speaking later tonight. So make sure you check that. Sigma team,
[30:09.080 --> 30:16.800]  because it's a really useful tool. And please, the last and not the least,
[30:16.800 --> 30:23.240]  DEF CON, thank you so much for accepting my talks, for the volunteers, for your time,
[30:23.240 --> 30:28.340]  and all the attendees for the talk right now. Thank you so much. If you'd like to connect with
[30:28.340 --> 30:34.300]  me and my team, you can. You can find me on Twitter, on GitHub, on LinkedIn, if you'd like
[30:34.300 --> 30:41.060]  to be more professional. Or you can check out a blog for my team, Threat Hunting Team on Medium,
[30:41.060 --> 30:49.920]  and Hunting Threat on Twitter. We posted stuff sometimes. And yeah, if you scan this barcode,
[30:49.920 --> 30:54.260]  it will take you to my GitHub page, pretty much where all my presentation is.
[30:54.560 --> 30:57.980]  So yeah, that's pretty much my presentation. Thank you so much.
[30:59.200 --> 31:06.040]  Thank you very much, Tez, for the wonderful presentation. As always, we encourage you guys
[31:06.040 --> 31:14.740]  to join our Blue Team Village Discord server and ask questions in text talk track one.
[31:15.220 --> 31:26.240]  And yeah, if there's no questions, which I do not see at the moment, I think we are set.
[31:26.240 --> 31:31.600]  And the presenter will be around for a little bit to answer questions, otherwise.
